Carnegie Mellon University
Electrical & Computer Engineering

Prof. Philip Koopman


"On two occasions I have been asked [by members of Parliament]:
‘Pray, Mr. Babbage, if you put into the machine wrong figures, will
the right answers come out?’ I am not able rightly to apprehend the
kind of confusion of ideas that could provoke such a question."
— Charles Babbage

© 2020 Philip Koopman
Security Pitfalls

■ Anti-Patterns:
  ● Master password
  ● Home-made cryptography
  ● Encryption used for integrity
  ● Unrealistic security assumptions
  ● Security via obscurity

■ Security can be counter-intuitive
  ● Attacks are easier than you might think
    - You must defend everywhere
    - The attacker need only succeed one time

[Image: The Konami Code]
Security Via Obscurity Is A Bad Idea!

■ Leaving a key under your doormat... is not secure
■ Attackers are clever & resourceful
  ● They know all the tricks
  ● They have lots of time to figure things out
  ● Networks make systems more accessible

[News clipping: Andy Greenberg, "Hacker Will Expose Potential Security Flaw In Four Million Hotel Room Keycard Locks" (goo.gl/b03nc)]
"The system’s vulnerability arises, Brocious says, from the fact that every lock’s memory is entirely exposed to whatever device attempts to read it through that port. Though each lock has a cryptographic key that’s required to trigger its “open” mechanism, that string of data is also stored in the lock’s memory, like a spare key hidden under the welcome mat"
Use Strong Cryptography & Keys

■ Kerckhoffs's Principle (from 1883!)
  ● Secrecy should entirely rest on the secret encryption key
  ● Assume public encryption algorithm
■ Almost always, home-made crypto is breakable
  ● Use only public, vetted cryptography & security protocols
  ● Use vetted implementations (not the book versions)
■ Widely shared “secrets” will be revealed
  ● Master passwords will leak out
  ● Someone will reverse-engineer a unit
■ Strong, unique secret key for each item
  ● No record kept at factory (database theft)
  ● This pushes systems toward public key cryptography for initial information exchange

[Image: Lorenz Cipher Machine: Tunny (Broken without seeing the machine). http://goo.gl/havx4j]
[Image: A Chip Peel]
Obscurity and Weak Passwords Are Bad!

[News clipping: "Researchers hack a pacemaker, kill a man(nequin)", Computerworld, Sep 8, 2015 8:08 AM PT]
While killing a simulated human via hacking is less dramatic than wirelessly murdering a real human via a keyboard, researchers said it can be done by “a student with basic information technology and computer science background; the medical mannequin attackers had no penetration testing skills, but successfully launched brute force and denial of service attacks as well as attacks on security controls.
https://goo.gl/YOzwz0


[Image: Reaver Used To Break WPA WiFi Protected Setup PIN]

[Image: DVD Decrypt in C (ASCII Art Version): source listing of efdtt laid out in the shape of the DVD logo. Author: Charles M. Hannum; DVD-logo shaped version by Alex Bowley; thanks to Phil Carmody for additional tweaks. Usage comment in the listing: cat title-key scrambled.vob | efdtt >clear.vob]
Only a 40-bit key
https://goo.gl/PvzgQy




[News clipping: "POLISH TEEN HACKS HIS CITY'S TRAMS, CHAOS ENSUES"]
A teenager in Lodz, Poland hacked the city’s tram system with a homemade transmitter that tripped rail switches and redirected trains, a prank that derailed four trams and injured a dozen people.
According to reports in the Register and the Telegraph, the 14-year-old boy - described by his teachers as an electronics genius (Gee- you think?) - spent months studying the city’s rail lines to determine the best places to redirect trains and cause the most havoc, then converted an old TV remote into an infrared transmitter capable of tripping the switches.
https://goo.gl/LSOVD9
How You Use Cryptography Matters

■ Use the right mechanism for the job
  ● Encryption for secrecy, not for authentication
  ● Use secure hash/digital signature for integrity
■ Don't forget about export restrictions
  ● Encryption might be weakened by short keys
  ● Typically no strength limits on hash/signatures
■ Consider your assumptions
  ● Proprietary protocols are obscurity, not security
  ● Firewalls are often permeable
  ● Customers will leave default configuration
■ Make the system usable
  ● People prefer weak passwords (1234, 777)
  ● Complex passwords get written on sticky notes

https://goo.gl/vBLQcz

[Image: Davis Besse Nuclear Plant: "... infects plant"]
Impact: Complete shutdown of digital portion of Safety Parameter Display System (SPDS) and Plant Process Computer (PPC)
Specifics: Worm jumped from corporate to plant network and found an unpatched ...
  ● Secure remote (trusted) access channels
  ● Ensure Defense-in-depth strategies with appropriate procurement requirements
https://goo.gl/10pMJP
[Image: US AIRWAYS display showing an Internet Explorer Script Error dialog: "An error has occurred in the script on this page. Line: 3235. Char: 36. Error: Subscript out of range: 'CurrentAd'. Code: 0. Do you want to continue running scripts on this page? Yes | No"]
Secure Communications & Firewalls

■ Securing safety critical + infotainment
  ● Insert a firewall (helps, but has limitations)
  ● Add integrity checks in data field
  ● Encrypt (but, this might not help with integrity)
■ Most legacy embedded networks insecure
  ● No encryption
  ● No authentication
  ● Non-secure integrity checks (CRC, checksum)
■ Many pitfalls here — tricky area
  ● Usually “air gap” is infeasible due to functionality
  ● Avoid permitting general purpose/risky packets through firewall

[Diagram: a VEHICLE and its trusted and untrusted external connections. External labels: Logistical Support; Services; Other Vehicles; Vehicle Maintenance; Mission Planning. Inside the vehicle: Passenger Electronics (Bluetooth; WiFi); 3rd Party Subsystems (navigation, lighting, air conditioning, etc.); Safety Critical Real Time Control Functions]
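The points "Encryption for secrecy, not for authentication" and "Non-secure integrity checks (CRC, checksum)" can be seen in a few lines of Python. This is an added example, not part of the original slides; the keys, nonce, message and the toy SHAKE-based stream cipher are constructed stand-ins for whatever cipher a real network would use.

```python
import hashlib
import hmac
import zlib

ENC_KEY = b"constructed-encryption-key"   # constructed sample keys: separate
MAC_KEY = b"constructed-integrity-key"    # keys for secrecy and for integrity
NONCE = b"\x00\x00\x00\x01"               # constructed; never reuse with a key

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for any encrypt-only mode.
    XORing again with the same key and nonce decrypts."""
    pad = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(d ^ p for d, p in zip(data, pad))

def with_crc(payload: bytes) -> bytes:
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def crc_ok(frame: bytes) -> bool:
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "big")

def with_mac(payload: bytes) -> bytes:
    return payload + hmac.new(MAC_KEY, payload, hashlib.sha256).digest()

def mac_ok(frame: bytes) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(MAC_KEY, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def change_byte(data: bytes, index: int, mask: int) -> bytes:
    """Model one byte altered in transit."""
    return data[:index] + bytes([data[index] ^ mask]) + data[index + 1:]

def demo() -> dict:
    ct = stream_xor(ENC_KEY, NONCE, b"SETPOINT=030")
    mask = ord("0") ^ ord("9")
    sealed = with_mac(NONCE + ct)  # encrypt-then-MAC over nonce and ciphertext
    return {
        # Encrypt-only: the altered ciphertext decrypts cleanly to a new value.
        "encrypt_only": stream_xor(ENC_KEY, NONCE, change_byte(ct, 9, mask)),
        # CRC is unkeyed, so it vouches for a frame from any sender.
        "crc_unkeyed_frame_ok": crc_ok(with_crc(b"SETPOINT=930")),
        # CRC does catch accidental single-byte corruption.
        "crc_corruption_ok": crc_ok(change_byte(with_crc(b"SETPOINT=030"), 9, 1)),
        # Keyed MAC: the untouched frame verifies, the altered one does not.
        "mac_original_ok": mac_ok(sealed),
        "mac_altered_ok": mac_ok(change_byte(sealed, 4 + 9, mask)),
    }
```

The receiver should verify the MAC before decrypting or acting on the payload; the CRC remains useful only for detecting accidental corruption.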
Security Testing Isn’t Enough

■ Security testing typically finds currently known problems
  ● Some problems known but not publicly announced
    - ‘Zero Day’ vulnerabilities
  ● More problems will be discovered after you ship => patches
■ Attacks will likely increase over time
  ● How will you respond to emergent threats?
■ Use lists of common weaknesses to avoid making mistakes
  ● https://cwe.mitre.org/index.html

[News clipping: Forbes, "Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits"]

ADOBE READER                      $5,000-$30,000
MAC OSX                           $20,000-$50,000
ANDROID                           $40,000-$60,000
FLASH OR JAVA BROWSER PLUG-INS    $40,000-$100,000
MICROSOFT WORD                    $50,000-$100,000
WINDOWS                           $60,000-$120,000
FIREFOX OR SAFARI                 $60,000-$150,000
CHROME OR INTERNET EXPLORER       $80,000-$200,000
IOS                               $100,000-$250,000

http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
Security Snake Oil (avoid these!)

■ Secret system
  ● Security claims rest even in part on “we won't tell you how we do it” or “we have a proprietary algorithm”
  ● Good systems are secure even against the actual system designer
  ● Security should be based on the secret key (which means the actual system designer can’t know the secret key in all devices)
■ Technobabble
  ● Buzzwords don't make you secure
■ We're “unbreakable”
  ● No, they're not. Best you can do is a sufficiently high cost to break
■ Strong claims about weak systems
  ● 2008 hard drive used AES for encrypting the key — but only XORd the key with the data
  ● Are secret keys sent unencrypted?
  ● Does the manufacturer have a back door device key?

http://www.h-online.com/security/features/Encl
http://en.wikipedia.org/wiki/Snake_oil_(cryptography)
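A "strong claim about a weak system" like the XOR-only drive can be caught by writing known sectors and inspecting the raw ciphertext. The check below is an added example, not from the slides or the cited article; the 512-byte sector size, the key block and both encrypt functions are constructed stand-ins, and `tweaked_encrypt` only models a keystream that depends on the sector number (real products should use a vetted mode such as AES-XTS).

```python
import hashlib

SECTOR = 512  # assumed sector size; the slide gives no figure
KEY_BLOCK = hashlib.shake_256(b"constructed key block").digest(SECTOR)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def weak_encrypt(sector_no: int, plain: bytes) -> bytes:
    """Design as the slide describes it: data is only XORed with the key."""
    return xor(plain, KEY_BLOCK)

def tweaked_encrypt(sector_no: int, plain: bytes) -> bytes:
    """Stand-in for a mode whose keystream depends on key AND sector number."""
    tweak = sector_no.to_bytes(8, "big")
    pad = hashlib.shake_256(KEY_BLOCK + tweak).digest(SECTOR)
    return xor(plain, pad)

def fixed_xor_symptoms(encrypt) -> dict:
    """Write known sectors through `encrypt`, then inspect the ciphertext."""
    zeros = bytes(SECTOR)
    text = (b"constructed test pattern " * 21)[:SECTOR]
    c0, c1, c2 = encrypt(0, zeros), encrypt(1, zeros), encrypt(2, text)
    return {
        # Identical plaintext in different sectors gives identical ciphertext.
        "repeats_across_sectors": c0 == c1,
        # XOR of two ciphertexts equals XOR of their plaintexts:
        # the key has cancelled out and protects nothing.
        "key_cancels": xor(c1, c2) == xor(zeros, text),
    }
```

Either symptom on a product under evaluation means the AES in the data sheet is not what protects the stored data.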
Best Practices For Avoiding Security Pitfalls

■ Avoid Common Pitfalls:
  ● Security via obscurity
  ● Master password
  ● Home-made cryptography
  ● Encryption used for integrity
  ● Unrealistic security assumptions
■ Consult a specialist
  ● Security is complex & often counter-intuitive; get some help!

[News clipping: JALOPNIK, "How To Hack An Electronic Road Sign", http://jalopnik.com]
DO NOT under any circumstances run around hacking into electronic road signs using the information contained in this step-by-step guide of how to transmit hilarious messages to passing motorists.
** HACKER TIPS ** Should it will ask you for a password. Try "Hi, the default password. In all likelihood, the crew will not have changed it. Howe ... they did, never fear. Hold "Control" and "Shift" and while holding, enter yy. This will reset the sign and reset the password to '{" in the process.
You're in!
[Comic: xkcd, https://xkcd.com/1820/]
"WE'VE BEEN TRYING FOR DECADES TO GIVE PEOPLE GOOD SECURITY ADVICE. BUT IN RETROSPECT, LOTS OF THE TIPS ACTUALLY MADE THINGS WORSE."
"MAYBE WE SHOULD TRY TO GIVE BAD ADVICE?"
"I GUESS IT'S WORTH A SHOT."

SECURITY TIPS
(PRINT OUT THIS LIST AND KEEP IT IN YOUR BANK SAFE DEPOSIT BOX.)
  ● DON'T CLICK LINKS TO WEBSITES
  ● USE PRIME NUMBERS IN YOUR PASSWORD
  ● CHANGE YOUR PASSWORD MANAGER MONTHLY
  ● HOLD YOUR BREATH WHILE CROSSING THE BORDER
  ● INSTALL A SECURE FONT
  ● USE A 2-FACTOR SMOKE DETECTOR
  ● CHANGE YOUR MAIDEN NAME REGULARLY
  ● PUT STRANGE USB DRIVES IN A BAG OF RICE OVERNIGHT
  ● USE SPECIAL CHARACTERS LIKE & AND %
  ● ONLY READ CONTENT PUBLISHED THROUGH TOR.COM
  ● USE A BURNER'S PHONE
  ● GET AN SSL CERTIFICATE AND STORE IT IN A SAFE PLACE
  ● IF A BORDER GUARD ASKS TO EXAMINE YOUR LAPTOP, YOU HAVE A LEGAL RIGHT TO CHALLENGE THEM TO A CHESS GAME FOR YOUR SOUL.

[Comic: xkcd, "Smart Home Security", https://www.xkcd.com/1966/]
HOW LONG YOU'VE HAD YOUR SMART APPLIANCE: 6 MONTHS, 1 YEAR, 5 YEARS, 10 YEARS
  ● YOU'RE CONSTANTLY BEING RESCUED FROM PERIL BY A FACELESS TEAM OF ENGINEERS WHO COULD WANDER AWAY AT ANY TIME
  ● YOUR APPLIANCE IS PART OF A BOTNET RUN BY ORGANIZED CRIME

If they're getting valuable enough stuff from you, at least the organized crime folks have an incentive to issue regular updates to keep the appliance working after the manufacturer discontinues support.


